b'  CONTROLS OVER ELECTRONIC DOCUMENT MANAGEMENT\n\nReport No. D-2001-101                      April 16, 2001\n\n\n\n\n             Office of the Inspector General\n                 Department of Defense\n\x0c  Additional Copies\n\n  To obtain additional copies of this audit report, visit the Inspector General, DoD,\n  Home Page at www.dodig.osd.mil/audit/reports or contact the Secondary Report\n  Distribution Unit of the Audit Followup and Technical Support Directorate at\n  (703) 604-8937 (DSN 664-8937) or fax (703) 604-8932.\n\n  Suggestions for Audits\n\n  To suggest ideas for or to request audits, contact the Audit Followup and\n  Technical Support Directorate at (703) 604-8940 (DSN 664-8940) or\n  fax (703) 604-8932. Ideas and requests can also be mailed to:\n\n                    OAIG-AUD (ATTN: AFTS Audit Suggestions)\n                     Inspector General, Department of Defense\n                        400 Army Navy Drive (Room 801)\n                            Arlington, VA 22202-4704\n\n  Defense Hotline\n\n  To report fraud, waste, or abuse, contact the Defense Hotline by calling\n  (800) 424-9098; by sending an electronic message to Hotline@dodig.osd.mil; or\n  by writing to the Defense Hotline, The Pentagon, Washington, DC 20301-1900.\n  The identity of each writer and caller is fully protected.\n\n\n\n\nAcronyms\nDFAS                  Defense Finance and Accounting Service\nDITSCAP               DoD Information Technology Security Certification and\n                         Accreditation Process\nDPPS                  Defense Procurement Payment System\nEDM                   Electronic Document Management\nMOCAS                 Mechanization of Contract Administration Services\n\x0c\x0c                       Office of the Inspector General, DoD\nReport No. D-2001-101                                               April 16, 2001\n (Project No. 
D2000FG-0057.02)\n\n                             Controls Over Electronic\n                              Document Management\n\n                                 Executive Summary\n\nIntroduction. On May 21, 1997, the Under Secretary of Defense (Comptroller)\ndirected the move to a paper-free contracting process which would modernize the\nacquisition processes of contract writing, administration, finance, and auditing. The\nDefense Finance and Accounting Service (DFAS) initiated Electronic Document\nManagement as part of the DoD Paper-Free Contracting Initiative. Electronic\nDocument Management contributes to the initiative by digitizing paper documents and\noffering read-only access to official contracts and modifications, invoices, and\naccounting and finance documents. Personnel at DFAS Columbus rely on the\ninformation accessed from Electronic Document Management to make an average of\n82,000 contract payments totaling $6 billion each month ($72 billion annually). The\nDirector, DFAS Columbus, requested that we review Electronic Document\nManagement to determine whether sufficient safeguards are in place to ensure the\nsecurity of electronic contract data.\n\nObjectives. The audit objective was to determine whether the security of Electronic\nDocument Management at DFAS Columbus was adequate. The audit included reviews\nof selected general controls, compliance with the Chief Financial Officers Act\nrequirements, and the management control program as it related to the overall\nobjective.\n\nResults. Electronic Document Management access controls were not sufficient and\ncould not provide reasonable assurance that data accumulated electronically and used by\nDFAS Columbus were secure. 
Specifically, DFAS security over Electronic Document\nManagement needed improvement in password management, audit log configuration,\nDocument Capture Center accountability, and convenience scanner control to\nadequately safeguard the security of electronically stored contractual data. Further,\nunless corrective actions are taken, data maintained in Electronic Document\nManagement could be altered or misused without detection. These Electronic\nDocument Management deficiencies identified in this audit were also identified in an\nAugust 1998 Electronic Document Management security test and evaluation performed\nby DFAS to accredit Electronic Document Management. However, the DFAS\nElectronic Document Management program office had the misconception that it did not\nneed to correct all the identified findings after the DFAS Chief Information Officer\ngranted accreditation to the program. Additionally, because of an administrative\n\x0coversight, the DFAS Chief Information Officer did not follow up on the reported\nfindings to ensure that they were corrected. See the Finding section of the report for\ndetails on the audit results.\n\nSummary of Recommendations. We recommend that the Director, DFAS, establish\naccess controls that allow users to change passwords without any assistance, establish\naudit logs that can positively identify users and their actions, incorporate individual\nidentification and authentication for operators of the high volume scanners within the\nDocument Capture Center, and control access to the convenience scanners based on\nleast privilege at DFAS Columbus. Additionally, we recommend that the Director,\nDFAS, conduct and document required security reviews as stated in the Electronic\nDocument Management accreditation letter.\n\nManagement Comments. DFAS concurred with establishing access controls for users\nof Electronic Document Management that allow users to change passwords without any\nassistance. 
DFAS partially concurred with establishing audit log generation and\nmaintenance into Electronic Document Management that can positively identify users\nand their actions. DFAS partially concurred with incorporating individual identification\nand authentication and an inactivity logout for operators of the high volume scanners\nwithin the Document Capture Center, stating that a contractor evaluation would identify\nthe actions required to correct the problem. DFAS concurred with incorporating access\ncontrols to the Electronic Document Management convenience scanners based on least\nprivilege, and an automatic inactivity user logout. DFAS concurred with conducting\nand documenting required reviews as stated in the Electronic Document Management\naccreditation letter. A discussion of management comments is in the Finding section of\nthe report and the complete text is in the Management Comments section.\n\nAudit Response. Management comments were generally responsive. However, the\ncomments responding to the establishment of usernames and passwords and an\ninactivity logout feature on the high volume scanners were partially responsive. Since\nthe contractor evaluation should have been completed, DFAS should state what\ncorrective actions will be taken and when the actions will be accomplished. We request\nthat the Director, DFAS, provide additional comments in response to the final report by\nJune 16, 2001.\n\n\n\n\n                                           ii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\nIntroduction\n     Background                                                           1\n     Objectives                                                           3\n\nFinding\n     Implementation of Security Safeguards Over Electronic Document\n       Management                                                         4\n\nAppendixes\n     A. 
Audit Process\n           Scope                                                         13\n           Methodology                                                   14\n           Management Control Program Review                             14\n     B. Prior Coverage                                                   16\n     C. Report Distribution                                              17\n\nManagement Comments\n     Defense Finance and Accounting Service, Chief Information Officer   19\n     Defense Finance and Accounting Service, Director, Contract Pay\n       Services                                                          21\n\x0cBackground\n    The Director, Defense Finance and Accounting Service (DFAS) Columbus,\n    requested that we review Electronic Document Management (EDM) to\n    determine whether sufficient safeguards are in place to ensure the security of\n    electronically stored contractual data.\n\n    Paper-Free Contracting Initiative. On May 21, 1997, the Under Secretary of\n    Defense (Comptroller) directed the move to a paper-free contracting process and\n    stated the need to simplify and modernize the acquisition process in contract\n    writing, administration, finance, and auditing.\n\n    Defense Finance and Accounting Service Columbus. To support the Paper-\n    Free Contracting Initiative, DFAS began EDM at DFAS Columbus. DFAS\n    contracted with Electronic Data Systems, Incorporated, to operate and maintain\n    EDM. EDM was first implemented on a limited basis in June 1997 to reduce\n    the amount of paper used and stored by DoD contracting personnel, reduce\n    contract payment cycle time, improve efficiency, increase customer service, and\n    comply with the DoD paper reduction initiative. DFAS plans to cancel EDM as\n    a separate program and merge portions of it into the Defense Procurement\n    Payment System (DPPS) before 2002. 
Accordingly, any deficiencies found in\n    EDM that are incorporated into DPPS must be corrected before the transition to\n    DPPS is undertaken.\n\n    Electronic Document Management. EDM digitizes paper documents received\n    through the U.S. mail and offers online access to a large volume of financial\n    and accounting documents, such as contracts, contract modifications, invoices,\n    and receiving reports. The documents stored in EDM are protected under the\n    Privacy Act and considered sensitive in nature. EDM was designed to allow the\n    user to view, retrieve, move, and store official financial and accounting\n    documents. Personnel at DFAS Columbus rely on the information accessed\n    from EDM to make an average of 82,000 contract payments totaling $6 billion\n    each month ($72 billion annually). As of August 2000, EDM stored\n    approximately 4.6 million financial documents. EDM was fully implemented at\n    DFAS Columbus for use with the Mechanization of Contract Administration\n    Services (MOCAS) system in July 2000. MOCAS is a contract payment system\n    used by DFAS in the administration and payment for hardware, supplies, and\n    services.\n\n\n\n\n                                        1\n\x0cEDM Process. The EDM system is an automated information system that\nconsists of three subsystems: document capture, indexing, and workflow. The\nfollowing figure illustrates the EDM process and flow of data.\n\n\n\n\n        Document Capture. The scanning for EDM is accomplished in the\nDocument Capture Center at DFAS Columbus. The Document Capture Center\nreceives paper documents such as contracts, contract modifications, invoices,\nand receiving reports through the U.S. mail, from DoD components and\nGovernment contractors. The Document Capture Center is secured with\nrestricted access because the system servers are stored in that area. Document\nCapture Center clerks use high volume scanners to scan the documents into\nEDM. 
Document conversion software is used to convert the paper documents\ninto digitized images. Once scanned and determined acceptable through quality\nassurance techniques, the images are forwarded into a document process queue\nfor indexing by MOCAS clerks. The paper documents are stored for 90 days,\nthen destroyed.\n\n       Indexing. The indexing process uniquely identifies each document\nwithin EDM. All MOCAS clerks who have access to EDM have the ability to\nindex images into EDM. The MOCAS clerks review the image of the scanned\ndocument and manually enter the required index fields into EDM. Index fields\n\n\n                                  2\n\x0c     include such items as the contract number, invoice number, and receiving dates.\n     After indexing, the image is electronically stored in a workflow folder for\n     payment processing.\n\n             Workflow. EDM imaged documents are organized into workflow cases\n     that require a specific task to be completed, such as the compilation of\n     documents to prepare an invoice for payment. Images could also be stored for\n     future use. Workflow allows for retrieval, viewing, and processing of\n     documents within EDM by MOCAS clerks.\n\n             Convenience Scanners. DFAS Columbus installed convenience\n     scanners within the three MOCAS payment divisions. The convenience\n     scanners are located in an open area in each of the payment divisions and can be\n     used by all MOCAS clerks. The convenience scanners are used to scan high\n     priority documents so as to reduce the number of late payments by DFAS.\n     When additional documents are needed to complete a transaction, the MOCAS\n     clerk contacts the document originator and requests the document. High priority\n     documents bypass the Document Capture Center and are directly received by the\n     MOCAS clerk for processing thought a convenience scanner. 
The MOCAS\n     clerk indexes the image and completes the related tasks based on the type of\n     document. The convenience scanners offer no limitation in the amount or the\n     type of documents that the MOCAS clerks can input into EDM.\n\nObjectives\n     The audit objective was to determine whether the security of Electronic\n     Document Management at DFAS Columbus was adequate. The audit included\n     reviews of selected general controls and compliance with the Chief Financial\n     Officers Act requirements and the management control program as it related to\n     the overall objective. Refer to Appendix A for discussion of the management\n     control program.\n\n\n\n\n                                        3\n\x0c           Implementation of Security Safeguards\n           Over Electronic Document Management\n           Access controls over EDM at DFAS Columbus were not sufficient to\n           provide users with reasonable assurance that the electronic data\n           maintained were accurate. Specifically, password management, audit log\n           configuration, Document Capture Center accountability, and convenience\n           scanner control needed improvement. DFAS first identified the EDM\n           deficiencies in a 1998 security test and evaluation conducted to accredit\n           the system; however, the EDM Program Manager did not correct the\n           deficiencies. The DFAS Electronic Document Management program\n           office had the misconception that they did not need to correct all the\n           identified findings. Additionally, because of an administrative oversight,\n           the DFAS Chief Information Officer did not conduct required reviews to\n           determine whether the EDM Program Manager had corrected the\n           deficiencies. As a result, data maintained in EDM may still be subject to\n           undetected alteration or misuse.\n\nGuidance for Securing EDM\n    DoD System Security Requirement. 
DoD Directive 5200.28, \xe2\x80\x9cSecurity\n    Requirements for Automated Information Systems (AIS),\xe2\x80\x9d March 21, 1988,\n    provides guidance on mandatory minimum automated information system\n    security requirements. Specifically, the Directive requires that safeguards will\n    be in place to ensure each person having access to an automated information\n    system will be held accountable for his or her actions on that information\n    system. The primary method for identifying users involves the individual user\n    account and password to control access.\n\n    DoD System Certification and Accreditation Manual. DoD Manual 8510.1,\n    \xe2\x80\x9cDoD Information Technology Security Certification and Accreditation Process\n    (DITSCAP) Application Document,\xe2\x80\x9d July 31, 2000, (the accreditation process),\n    establishes standards for certifying and accrediting the security of DoD systems\n    throughout their life cycle. A certification is a comprehensive evaluation of the\n    technical and nontechnical security features of an information technology system\n    and other safeguards. The certification supports the accreditation process that\n    determines whether a particular design and implementation meets a set of\n    specified security requirements. The accreditation is a formal declaration by a\n    designated approving authority that an information technology system is\n    approved to operate in a particular security mode using a prescribed set of\n    safeguards. Additionally, the designated approving authority assumes the\n    overall responsibility for the security of the operation and ensures that all\n    safeguards required in DoD Directive 5200.28 are implemented and maintained.\n    The EDM security plan, August 7, 1998, stated that the DFAS Chief\n    Information Officer is the designated approving authority.\n\n    DFAS System Security Guidance. 
DFAS Regulation 8000.1-R, \xe2\x80\x9cInformation\n    Management Corporate Policy,\xe2\x80\x9d May 21, 1999, describes DFAS information\n\n                                       4\n\x0c           security requirements and implementing instructions, including the requirement\n           that all DFAS-owned automated information systems be certified and accredited\n           in accordance with the \xe2\x80\x9cDFAS Certification and Accreditation Handbook,\xe2\x80\x9d\n           March 6, 1998. The DFAS Handbook follows a similar process as that\n           described in the DITSCAP. EDM was certified and accredited on August 7,\n           1998, using the DFAS Certification and Accreditation Handbook.\n\nAccess Controls for EDM\n           Access and physical controls at DFAS Columbus were not sufficient to provide\n           reasonable assurance that the documents contained in EDM were accurate and\n           could be relied on to set up payments within MOCAS. Access controls protect\n           and control who can log on to a system; ensure that security mechanisms are in\n           place to make decisions regarding access to resources; and, provide a capability\n           to generate a reliable log of user actions. Physical security controls include\n           steps to prevent tampering and intrusion. Specifically, EDM lacked the\n           following controls.\n\n               \xe2\x80\xa2    EDM users lacked the ability to independently change passwords.\n\n               \xe2\x80\xa2    Audit logs were not properly configured to ensure security measures\n                    were working properly.\n\n               \xe2\x80\xa2    The Document Capture Center lacked individual accountability for the\n                    scanning clerks.\n\n               \xe2\x80\xa2    The convenience scanners lacked access controls based on least\n                    privilege1 and physical security controls.\n\n                   Password Management. 
Access to EDM is through password and\n           username. Passwords are used to authenticate the user to ensure that only\n           authorized personnel have access to EDM. However, password controls were\n           not adequate because EDM users lacked the ability to change passwords without\n           the assistance of the system administrator. According to National Computer\n           Security Center Standard 002-85, \xe2\x80\x9cDoD Password Management Guide,\xe2\x80\x9d\n           April 12, 1985, passwords should be changed on a periodic basis and users\n           should be permitted to change their passwords without intervention by others to\n           counter the possibility of undetected password compromise. In addition, users\n           are to protect passwords from compromise and to avoid needless exposure of\n           passwords. A password that has been compromised will allow an unauthorized\n           user to have access to the system until passwords are changed and properly\n           protected.\n\n                   For EDM, the systems administrator generates the logon and passwords\n           for the users and notifies the individuals of their new passwords. The system\n           generated password is supplied by the EDM system administrator to the\n           information system security officer, the terminal area security officer, and\n\n1\n    DoD Directive 5200.28 defines the concept of least privilege as that which grants users only enough\n    access to the system(s) to complete their official duties.\n\n                                                      5\n\x0cfinally to the user. Therefore, the passwords for EDM users have been exposed\nto others and are subject to compromise. DFAS should establish access controls\nfor users of EDM that allow users to change passwords without any assistance.\n\n        Audit Log Configuration. 
Auditing logs are used to provide assurance\nthat protection mechanisms are working as expected by capturing user actions.\nHowever, the EDM audit logs could not be relied on to capture user actions\nbecause the audit logs were not properly configured at DFAS Columbus. The\nNational Computer Security Center Technical Guide 028, \xe2\x80\x9cAssessing Controlled\nAccess Protection,\xe2\x80\x9d May 25, 1992, states that the purpose of the audit log\nfunction for systems is to detect repeated attempts to bypass protection\nmechanisms, to monitor use of privileges, and to provide additional assurance\nthat the protection mechanisms are working. The EDM audit logs were not\ncapturing audit data because the audit function was not fully turned on. The\nEDM security test and evaluation stated that if the audit logs were fully turned\non, the performance of EDM would be degraded.\n\n        Specifically, the audit log for the EDM system did not capture which\nuser accessed the system; which files the user opened, deleted, or modified;\nwhat programs the user executed, and whether the user used or attempted to use\nfiles and programs to which the user was not granted access. Because the audit\nlogs can not positively identify users and their actions, the audit logs are not\neffective in preventing or detecting potential abuse. DFAS should determine\nwhat safeguards can be put in place before EDM performance is degraded to the\npoint where it is not cost-effective. In doing so, DFAS should establish EDM\naudit log generation and maintenance procedures that would positively identify\nusers and their actions.\n\n        Document Capture Center Accountability. Access to the high-volume\nscanners in the Document Capture Center is through username and password.\nPasswords are used to authenticate the user to ensure that only authorized\npersonnel have access to the high-volume scanners. However, DFAS allowed\npersonnel in the Center to share the same username and password. 
DoD\nDirective 5200.28 states that individual accountability is required on all DoD\ninformation systems that hold sensitive information. Personnel in the Document\nCapture Center prepare documents for scanning and enter them into EDM. The\nDocument Capture Center had 4 high-volume scanners and maintains a\nworkforce of 34 people. Specific problems with the Document Capture Center\nare as follows.\n\n       \xe2\x80\xa2   Each high-volume scanner had a single username and password for\n           all 34 DFAS personnel that work within the Document Capture\n           Center; therefore, the security controls could not tell which user\n           performed specific transactions.\n\n\n\n\n                                   6\n\x0c       \xe2\x80\xa2   For each workstation, the username and password had not been\n           changed since EDM became operational on August 7, 1998. At\n           times the passwords were posted on the workstations for training\n           purposes; therefore, unauthorized personnel with access to the\n           Document Capture Center could gain access to the high-volume\n           scanners and enter transactions. 
DFAS personnel stated that\n           passwords were changed in late November 2000 as a result of our\n           audit.\n\n       \xe2\x80\xa2   Multiple incorrect sequential attempts to access the high-volume\n           scanners could be made without the system locking the user out;\n           therefore, unauthorized personnel could make repeated attempts to\n           compromise passwords of the high volume scanners without being\n           stopped.\n       \xe2\x80\xa2   During periods of inactivity there was no automatic system logoff;\n           therefore, when a legitimate user leaves a workstation, unauthorized\n           personnel would have access to the high-volume scanners and could\n           enter documents.\n\n       \xe2\x80\xa2   The Document Capture Center had 34 authorized employees, but 200\n           additional people had key-cards that gave them access to the room;\n           therefore, these 200 personnel could get access to the high-volume\n           scanners and could enter transactions if other access controls were\n           compromised.\n\nBecause of the ineffective access controls on the high-volume scanners, DFAS\nwould not be able to affix individual accountability to any person for any\ninappropriate activity within the Document Capture Center. DFAS should\nincorporate individual identification and authentication and an inactivity logout\nfor operators of the high volume scanners.\n\n        Convenience Scanner Control. High priority contractual documents\nsuch as potential late payments can be entered into EDM by using the\nconvenience scanners to accelerate the payment process. However, DFAS\nColumbus did not control access to the convenience scanners in order to limit\nwho can enter documents into EDM. The convenience scanners lack access\ncontrols based on least privilege and physical security controls. 
According to\nDoD Directive 5200.28, access controls involve the input of user identification\nand passwords that are linked to predetermined access privileges and can be\nused to restrict access to specific system resources. Further, according to\nFederal Information Processing Standards Publication 31, \xe2\x80\x9cGuidelines for\nAutomatic Data Processing Physical Security and Risk Management,\xe2\x80\x9d June\n1974, the lack of physical controls could result in the loss of data or program\nfiles. The following problems with controlling the convenience scanners were\ndetected.\n\n       \xe2\x80\xa2   Access to the convenience scanners was not based on least privilege,\n           but was given to approximately 1,040 MOCAS clerks which allowed\n           them to enter documents into EDM without any supervision to ensure\n           that the documents were legitimate.\n\n                                     7\n\x0c           \xe2\x80\xa2   The convenience scanners installed in DFAS Columbus had no\n               physical controls to prevent unauthorized use by DFAS personnel.\n\n           \xe2\x80\xa2   During periods of inactivity there was no automatic system logoff;\n               therefore, when a legitimate user left a workstation, unauthorized\n               personnel could access the convenience scanners and could enter and\n               index documents into EDM.\n\n    DFAS could not affix individual accountability for inappropriate use of the\n    convenience scanners. Consequently, the lack of controls on convenience\n    scanners would not permit DFAS to determine whether incorrect or improper\n    modifications to contract data had been made. 
DFAS should incorporate access\n    controls to the convenience scanners based on least privilege, physical controls\n    to prevent unauthorized use, and an automatic inactivity user logout.\n\nEDM Security Test and Evaluation\n    Access controls were not sufficient because the EDM program office did not\n    correct deficiencies in password management, audit log configuration,\n    Document Capture Center accountability, and convenience scanner control.\n    DFAS first identified the EDM deficiencies in a 1998 security test and\n    evaluation conducted to accredit EDM. The August 1998 EDM security test\n    and evaluation report identified access control deficiencies in the same areas we\n    identified in this audit and the August 1998 EDM risk assessment report\n    identified possible solutions to the deficiencies that were reported in the security\n    test and evaluation. However, the EDM Program Office did not correct all the\n    deficiencies and had the misconception that it did not need to correct all the\n    identified findings after the DFAS Chief Information Officer granted the\n    accreditation. Additionally, because of an administrative oversight, the DFAS\n    Chief Information Officer did not conduct the required reviews to determine\n    whether the EDM Program Office had corrected the deficiencies.\n\n    According to the EDM accreditation letter, August 7, 1998, the program office\n    was to fully implement all recommended countermeasures identified in the final\n    risk assessment report. However, the program office did not implement all the\n    necessary corrections to the access and physical controls that were identified.\n    The accreditation letter also stated that the DFAS Chief Information Officer was\n    to annually review the progress of the program office. However, the DFAS\n    Chief Information Officer did not request any review to be performed in\n    accordance with the accreditation letter. 
Our review of the EDM access\n    controls confirmed that the same deficiencies still existed in password\n    management, audit log configuration, Document Capture Center accountability,\n    and convenience scanner control. This is the second time these EDM\n    deficiencies have been identified, once in the EDM security test and evaluation,\n    performed in May and June 1998, and again in this audit.\n\n    EDM Program Office Implementation of Security Corrections. Because the\n    program office did not implement all the necessary corrections to the findings\n    identified in the security test and evaluation completed on August 7, 1998, EDM\n\n\n                                        8\n\x0c          lacked assurance that misuse or unauthorized activities would be detected. The\n          program office did not implement all the necessary corrections to the access\n          controls because they believed that once the DFAS Chief Information Officer\n          accredited EDM, it was not necessary to correct the findings in the security test\n          and evaluation. The program office should correct the outstanding security test\n          and evaluation findings in password management, audit logs, the Document\n          Capture Center, and the convenience scanners.\n\n                      DFAS Chief Information Officer Review of Security Corrections.\n          In the August 7, 1998, EDM accreditation letter the DFAS Chief Information\n          Officer stated that he would review the progress of the EDM program office to\n          ensure that EDM deficiencies were corrected. However, because the DFAS\n          Chief Information Officer did not review the progress of the EDM program\n          office, the program office did not consider implementing all the identified\n          countermeasures. 
    DFAS Chief Information Officer personnel stated that it is their policy to
    conduct reviews to ensure that open security test and evaluation findings
    are closed. However, the EDM security reviews did not occur because of an
    administrative oversight. The DFAS Chief Information Officer should conduct
    and document required reviews as stated in the accreditation documentation.

Management Actions

    Reaccreditation Efforts. EDM at DFAS Columbus was certified and accredited
    on August 7, 1998. This accreditation will expire on August 7, 2001. As of
    November 29, 2000, a DFAS Arlington² official indicated that reaccreditation
    efforts would be limited because the indexing and workflow subsystems of the
    EDM system may be incorporated into DPPS before 2002. Therefore, only the
    scanning portion of EDM would continue to be needed. DPPS is a DFAS
    initiative to consolidate DoD payment processes under one system. If DPPS
    incorporates the indexing and workflow portions of EDM, then reaccreditation
    efforts may not be necessary. However, components of EDM that will be
    incorporated into DPPS must have any deficiencies corrected to ensure that
    DPPS can be certified and accredited.

    Efforts Taken by DFAS. DFAS is attempting to mitigate some of the password
    control and convenience scanner weaknesses.

        Password Improvements. Personnel at DFAS Arlington stated that they
    have implemented password controls on the local area network at DFAS
    Columbus. The network password controls require all users to use an
    eight-character password containing at least one number, one special
    character, and both upper- and lower-case letters. Passwords must also be
    changed every 90 days. DFAS Arlington personnel stated that because users
    must log into the network before using EDM, the improved password controls
    on the network pass through to EDM.

    ² DFAS Arlington is the site of DFAS headquarters.

    Although these changes are an improvement, they do not necessarily
    strengthen identification and authentication for the EDM user because the
    logon and password controls of EDM itself have not changed. A network logon
    establishes only that a person is a network user, not that the person is
    authorized for EDM; because most personnel at DFAS Columbus have access to
    the local area network, it would still be possible for unauthorized
    personnel to gain EDM access even with the improvements to the network
    passwords. Without strong password controls, EDM remains vulnerable to
    unauthorized access and possible misuse or loss of system resources.
    Therefore, DFAS should develop access controls for users of EDM that allow
    users to change passwords without any assistance.

        Convenience Scanner Modifications. DFAS Columbus has made improvements
    to limit access to the convenience scanners. At the time of our review,
    there were 14 convenience scanners installed within the 3 payment divisions
    at DFAS Columbus. Each convenience scanner is directly connected to a
    workstation that has the EDM application software loaded, and any MOCAS
    clerk who had EDM access could use it. However, the EDM project manager at
    DFAS Columbus implemented a separate scanning area for each of the three
    payment divisions.
    The new scanning areas are still in an open area, but only 10 people in
    each division are responsible for using the convenience scanners. The EDM
    project manager at DFAS Columbus has requested that the systems
    administrator include least privilege controls for the convenience scanner
    workstations in the next system upgrade, so that only authorized personnel
    have the ability to scan and index.

    Although some policy improvements have been made regarding the use of the
    convenience scanners, the workstations still remain in an open area without
    least privilege or physical controls to prevent unauthorized personnel from
    entering documents into the EDM system. DFAS should implement the proposed
    improvements in least privilege (as requested by the EDM project manager at
    DFAS Columbus) and incorporate physical controls into the convenience
    scanning area.

Summary

    Access and physical controls for the EDM system at DFAS Columbus did not
    provide reasonable assurance that the documents contained in the system were
    adequately protected. As such, the EDM security weaknesses increased the
    risk of undetected alteration or misuse. Access controls over EDM were not
    sufficient to provide users of the system with reasonable assurance that
    electronic data used by DFAS Columbus were accurate.

    Password controls were not adequate because EDM users lacked the ability to
    change passwords without the assistance of the system administrator;
    therefore, DFAS should establish access controls for users of EDM that allow
    users to change passwords without any assistance. The audit log feature for
    EDM was not fully turned on and could not positively identify users and
    their actions; therefore, DFAS should establish audit log generation and
    maintenance in EDM that can positively identify users and their actions. In
    the Document Capture Center, every high-volume scanner had a single username
    and password for all personnel, multiple incorrect sequential logon attempts
    could be made without the system locking the user out, and during periods of
    inactivity the system did not automatically log the user out; therefore,
    DFAS should incorporate individual identification and authentication and an
    inactivity logout for operators of the high-volume scanners. Access to the
    convenience scanners was based on access to EDM rather than on least
    privilege, no physical controls existed to prevent unauthorized use, and
    during periods of inactivity the system did not automatically log out the
    user; therefore, DFAS should incorporate access controls into the
    convenience scanners based on least privilege, physical controls to prevent
    unauthorized use, and an automatic inactivity user logout.

    DFAS Columbus should correct the outstanding security test and evaluation
    findings, which addresses the finding in this report. The DFAS Chief
    Information Officer should conduct and document required reviews as stated
    in the accreditation documentation.

Recommendations, Management Comments, and Audit Response

    We recommend that the Director, Defense Finance and Accounting Service:

        1. Establish access controls for users of Electronic Document
    Management at the Defense Finance and Accounting Service Columbus that
    allow users to change passwords without any assistance.

        DFAS Comments. DFAS concurred. DFAS will incorporate password change
    improvements when EDM Release 5.0 is deployed in July 2001. EDM Release 5.0
    will provide users with the capability to change their password from the
    initially assigned generic password, and will require users to change
    passwords at least every 60 days.

        2. Establish audit log generation and maintenance in Electronic
    Document Management at the Defense Finance and Accounting Service Columbus
    that can positively identify users and their actions.

        DFAS Comments. DFAS partially concurred. DFAS stated that audit tracking
    is very important to them and that they have taken actions to positively
    identify users. However, due to limitations in the EDM software, some users
    have inappropriate access and rights that cannot be recorded by audit logs.
    DFAS will eliminate this limitation in a software release before
    December 31, 2001.

        Audit Response. DFAS comments are responsive.

        3. Incorporate individual identification and authentication and an
    inactivity logout for operators of the high-volume scanners within the
    Document Capture Center at the Defense Finance and Accounting Service
    Columbus.

        DFAS Comments. DFAS partially concurred. DFAS stated that the software
    application controlling the high-volume scanners was not designed to support
    individual identification and authentication or an inactivity logout
    feature. DFAS has asked the contractor to evaluate the establishment of an
    individual username and password as well as an inactivity logout feature.
    The contractor was to provide an estimate of the level of changes required
    by March 31, 2001. Until system improvements can be made, the users have
    been instructed to log off the scanners when not in use.

        Audit Response. DFAS comments are partially responsive. Based on the
    anticipated completion of the contractor evaluation, DFAS needs to identify
    the specific corrective actions that will be taken and when the actions will
    be accomplished. We request that DFAS provide a completion date for the
    incorporation of individual identification and authentication and an
    inactivity logout for the operators of the high-volume scanners in comments
    to the final report.

        4. Incorporate access controls to the Electronic Document Management
    convenience scanners at the Defense Finance and Accounting Service Columbus
    based on least privilege, physical controls to prevent unauthorized use, and
    an automatic inactivity user logout.

        DFAS Comments. DFAS concurred. DFAS stated that they have developed
    initiatives to incorporate access controls for the EDM convenience scanners
    that include access only for designated users and the identification of
    those users. Identification of users will be incorporated in a future
    software release scheduled to occur before December 31, 2001. The automatic
    inactivity logout feature has been set at 2-3 hours; however, DFAS is
    reviewing this policy and will provide the contractor with a new inactivity
    logout setting. Additionally, DFAS has reduced the number of convenience
    scanners to three and incorporated procedural controls to control access to
    the convenience scanners.

        5. Conduct and document required reviews as stated in the Electronic
    Document Management accreditation letter.

        DFAS Comments. DFAS concurred. The DFAS Chief Information Officer
    stated that they are improving processes and procedures to review system
    certification and accreditation status. The improvements include making
    modifications to the System Inventory Database to improve the process of
    capturing system accreditation status. The System Inventory Database is used
    to verify system accreditation status. Additionally, program managers and
    Information System Security Managers are required to update the System
    Inventory Database when system security changes occur.
    The improvement to the review process will be completed by October 2001.

Appendix A. Audit Process

Scope

    Work Performed. We performed the audit at DFAS Arlington, Arlington,
    Virginia, and at DFAS Columbus, Columbus, Ohio, from August 2000 through
    January 2001. We reviewed how DFAS implemented access controls for EDM. We
    interviewed the DFAS Columbus EDM project manager and obtained a detailed
    understanding of EDM. We reviewed the security agreement, the security test
    and evaluation plan and the results of the test, the certification and
    accreditation documentation, and the EDM Security Plan.

    Limitations of Audit Scope. The audit was limited to the review of the
    general controls for the EDM system at DFAS Columbus. Based on our
    assessment of the general controls, we determined that a review of the
    application controls should not be conducted at this time. Previous reports
    on the Electronic Data Interchange and Electronic Document Access have been
    issued (see Appendix B).

    DoD-Wide Corporate-Level Government Performance and Results Act Goals. In
    response to the Government Performance and Results Act, the Secretary of
    Defense annually establishes DoD-wide corporate-level goals, subordinate
    performance goals, and performance measures. This report pertains to
    achievement of the following goal and subordinate performance goal:

        • FY 2001 DoD Corporate-Level Goal 2: Prepare now for an uncertain
          future by pursuing a focused modernization effort that maintains U.S.
          qualitative superiority in key warfighting capabilities. Transform the
          force by exploiting the Revolution in Military Affairs, and reengineer
          the Department to achieve a 21st century infrastructure. (01-DoD-2)

        • FY 2001 Subordinate Performance Goal 2.5: Improve DoD financial and
          information management. (01-DoD-2.5)

    DoD Functional Area Reform Goals. Most major DoD functional areas have also
    established performance improvement reform objectives and goals. This report
    pertains to achievement of the following functional area objectives and
    goals:

        • Financial Management Area. Objective: Strengthen internal controls.
          Goal: Improve compliance with the Federal Managers Financial Integrity
          Act. (FM-5.3)

        • Information Technology Management Area. Objective: Ensure that DoD
          vital information resources are secure and protected. Goal: Assess
          information assurance posture of DoD operational systems. (ITM-4.4)

    General Accounting Office High-Risk Area. The General Accounting Office has
    identified several high-risk areas in the Department of Defense. This report
    provides coverage of the Information Management and Technology and the
    Defense Financial Management high-risk areas.

Methodology

    Use of Computer-Processed Data. We did not use computer-processed data to
    perform this audit.

    Use of Technical Assistance. We did not use technical assistance to perform
    this audit.

    Audit Type, Dates, and Standards. We performed this financial-related audit
    from August 2000 through January 2001 according to auditing standards issued
    by the Comptroller General of the United States, as implemented by the
    Inspector General, DoD.
    We used the General Accounting Office Federal Information Systems Control
    Audit Manual and the DoD Information Technology Security Certification and
    Accreditation Process as guides for conducting this general control review.

    Contacts During the Audit. We visited or contacted individuals and
    organizations within DoD. Further details are available on request.

Management Control Program Review

    DoD Directive 5010.38, "Management Control (MC) Program," August 26, 1996,
    and DoD Instruction 5010.40, "Management Control (MC) Program Procedures,"
    August 28, 1996, require DoD organizations to implement a comprehensive
    system of management controls that provides reasonable assurance that
    programs are operating as intended and to evaluate the adequacy of the
    controls.

    Scope of the Review of the Management Control Program. We reviewed the
    adequacy of management controls in place for EDM. Specifically, we reviewed
    the implementation of DoD policies and procedures governing EDM. We reviewed
    management's self-evaluation applicable to those management controls.

    Adequacy of Management Controls. We identified material management control
    weaknesses as defined by DoD Instruction 5010.40. Management controls were
    not adequate to ensure the accuracy of electronic transactions using EDM.
    All recommendations in this report, if implemented, will provide the
    necessary controls for ensuring the accuracy of the electronic transactions.
    A copy of this report will be provided to the senior official responsible
    for management controls in the office of the Assistant Secretary of Defense
    (Command, Control, Communications and Intelligence); DFAS Arlington; and
    DFAS Columbus.

    Adequacy of Management's Self-Evaluation. DFAS Columbus officials did not
    identify EDM as an assessable unit and, therefore, did not identify or
    report the material management control weaknesses identified by the audit.
    Also, had DFAS management been aware of the results of the EDM security test
    and evaluation and implemented corrective actions, a management control
    weakness could have been avoided.

Appendix B. Prior Coverage

General Accounting Office

    GAO Report No. GAO/AIMD-99-107 (OSD Case No. 1835), "Information Security:
    Serious Weaknesses Continue to Place Defense Operations at Risk,"
    August 26, 1999

    GAO Report No. GAO/AIMD-98-92 (no OSD case number was issued), "Information
    Security: Serious Weaknesses Place Critical Federal Operations and Assets at
    Risk," September 23, 1998

Inspector General, DoD

    Inspector General, DoD, Report No. D-2001-095, "General Controls Over the
    Electronic Data Interchange," April 6, 2001

    Inspector General, DoD, Report No. D-2001-029, "General Controls Over the
    Electronic Document Access System," December 27, 2000

    Inspector General, DoD, Report No. 98-057, "Defense Finance and Accounting
    Service Acquisition Program for the Electronic Document Management
    Program," January 27, 1998

    Inspector General, DoD, Report No. 98-013, "Second User Acceptance Test of
    the Electronic Document Management System at the Defense Finance and
    Accounting Service Operating Location Omaha, Nebraska," October 24, 1997

    Inspector General, DoD, Report No. 97-050, "Evaluation of Controls Over
    Workflow Applications Selected for Electronic Document Management,"
    December 17, 1996

    Inspector General, DoD, Report No. 96-214, "Computer Security for the
    Federal Acquisition Computer Network," August 22, 1996

Appendix C. Report Distribution

Office of the Secretary of Defense
Under Secretary of Defense (Comptroller)
  Deputy Chief Financial Officer
  Deputy Comptroller (Program/Budget)
Assistant Secretary of Defense (Command, Control, Communications, and Intelligence)

Department of the Army
Auditor General, Department of the Army

Department of the Navy
Naval Inspector General
Auditor General, Department of the Navy

Department of the Air Force
Assistant Secretary of the Air Force (Financial Management and Comptroller)
Auditor General, Department of the Air Force

Defense Organizations
Director, Defense Finance and Accounting Service
  Director, Defense Finance and Accounting Service Columbus

Non-Defense Federal Organizations and Individuals
Office of Management and Budget

Congressional Committees and Subcommittees, Chairman and Ranking Minority Member
Senate Committee on Appropriations
Senate Subcommittee on Defense, Committee on Appropriations
Senate Committee on Armed Services
Senate Committee on Governmental Affairs
House Committee on Appropriations
House Subcommittee on Defense, Committee on Appropriations
House Committee on Armed Services
House Committee on Government Reform
House Subcommittee on Government Efficiency, Financial Management, and
  Intergovernmental Relations, Committee on Government Reform
House Subcommittee on National Security, Veterans Affairs, and International
  Relations, Committee on Government Reform
House Subcommittee on Technology and Procurement Policy, Committee on
  Government Reform

Defense Finance and Accounting Service, Chief Information Officer Comments

Defense Finance and Accounting Service, Director, Contract Pay Services
Comments

Audit Team Members

The Finance and Accounting Directorate, Office of the Assistant Inspector
General for Auditing, DoD prepared this report. Personnel of the Office of the
Inspector General, DoD, who contributed to the report are listed below.

F. Jay Lane
Salvatore D. Guli
Kimberley A. Caprio
Eric L. Lewis
Jacqueline J. Vos
Yolanda C. Watts
Troy R. Zigler
Stephen G. Wynne